Phishing
Homoglyphs are Unicode characters that look visually similar to an ASCII character, but are different. You can use these to make your phishing attacks more convincing.
Note: Gmail shows a warning when this is used, but not all email providers do.
Also, you can register a domain with a homoglyph and direct users there.
Using JavaScript, you can make a fake window that looks exactly like Facebook and that asks you for the login (for OAuth logins).
If a website has a link like this:
Or like this:
Then it’s vulnerable to reverse tabnabbing (tested 23 May 2019 on Firefox and Chrome).
Note: target="_blank" is used to get the link to open in a new tab.
When you have target="_blank", then you should also really have rel="noopener noreferrer" next to it. Otherwise, bad.example.com will have the window.opener object available to it.
If the website bad.example.com runs this JavaScript:
Then the original tab will be redirected to a phishing site.
Example: Facebook lets you link to your site using target="_blank". On your site, you run the above JavaScript and the original Facebook tab will be redirected to https://phish.example.com. Assuming you control that domain, you can have it be a phishing site that asks the user to re-enter their password, or something similar.
Targeted attacks:
One way to do this is via open relay servers, but those might get blacklisted and there’s a better alternative:
Buy a domain (or use a free one that allows emails to be sent, like 000webhostapp) and create a PHP script that allows you to send emails with custom SMTP headers.
This works after changing the form action in index.php:
Note: the script doesn't accept Unicode.
Hosted at http://oger55.000webhostapp.com/spoofer/